[Freeipa-users] pki-tomcatd fails to start

Rob Crittenden rcritten at redhat.com
Fri Jan 6 20:43:28 UTC 2017


Jeff Goddard wrote:
> I've done this.
> [root at id-management-1 ipa]# date
> Sun Jan  1 01:12:27 EST 2017
> 
> getcert list gives me this as the first entry:
> 
> Request ID '20150116162120':
>         status: CA_UNREACHABLE
>         ca-error: Server at
> https://id-management-1.internal.emerlyn.com/ipa/xml failed request,
> will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not
> found).
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>         subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
>         expires: 2017-01-16 16:21:20 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes
> 
> Restarting certmonger multiple times doesn't help.

Sorry, I missed a step. When you go back in time you first need to
restart IPA. The CA isn't up.

rob

> 
> Jeff
> 
> 
> 
> 
> On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> 
>     Jeff Goddard wrote:
>     > Flo,
>     >
>     > I'm not able to access the link you posted. I did find this thread
>     > though
>     >
>     > https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
>     > and have set the time back and resubmitted a request. Still no
>     success.
>     > Any further hints?
> 
>     You need to stop ntpd, go back in time to when the certs are valid and
>     restart the certmonger service.
> 
>     Then use getcert list to monitor things. You really only care about the
>     CA subsystem certs at this point.
> 
>     You may need to restart certmonger more than once to get all the certs
>     updated (you can manually call getcert resubmit -i <id> if you'd
>     prefer).
> 
>     Once that is done return to present day, restart ntpd then ipactl
>     restart.
> 
>     rob
> 
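Added here as an example, not code from the thread or from FreeIPA: a small POSIX shell helper for the monitoring step in Rob's procedure. It parses `getcert list` output, lists every request certmonger has not brought back to MONITORING (the ones to watch or `getcert resubmit -i <id>`), and reports the earliest expiry, which is the date the clock must be set before. The listing embedded below is constructed from the entry Jeff quoted plus one invented healthy entry.

```shell
#!/bin/sh
# Added example (not from the thread). With real data run, e.g.:
#   getcert list | stuck_requests
# The listing below is a constructed sample: the CA_UNREACHABLE entry from
# the thread plus one made-up healthy (MONITORING) request.

SAMPLE_GETCERT_LIST="Request ID '20150116162120':
        status: CA_UNREACHABLE
        ca-error: Server at https://id-management-1.internal.emerlyn.com/ipa/xml failed request, will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not found).
        stuck: no
        expires: 2017-01-16 16:21:20 UTC
        track: yes
Request ID '20150116162200':
        status: MONITORING
        stuck: no
        expires: 2018-03-01 09:00:00 UTC
        track: yes"

# Print "<request id> <status> <expiry>" for every request whose status is
# not MONITORING, i.e. everything certmonger has not finished renewing.
stuck_requests() {
    awk -v q="'" '
    function emit() { if (id != "" && st != "MONITORING") print id, st, ex }
    /^Request ID/ { emit(); id = $3; gsub(q, "", id); sub(/:$/, "", id); st = ""; ex = "" }
    /^[ \t]*status:/  { st = $2 }
    /^[ \t]*expires:/ { sub(/^[ \t]*expires:[ \t]*/, ""); ex = $0 }
    END { emit() }'
}

# Print the earliest "expires:" value in the listing: the system clock has to
# be set to a time before this one for the renewal requests to be accepted.
earliest_expiry() {
    awk '/^[ \t]*expires:/ { sub(/^[ \t]*expires:[ \t]*/, ""); if (min == "" || $0 < min) min = $0 }
         END { if (min != "") print min }'
}

# Succeeds only when nothing is left to renew; usable as the loop condition
# between certmonger restarts.
all_renewed() {
    [ -z "$(stuck_requests)" ]
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_GETCERT_LIST" | stuck_requests
    printf '%s\n' "$SAMPLE_GETCERT_LIST" | earliest_expiry
fi
```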